CVE-2024-6600

6.3 MEDIUM

📋 TL;DR

This vulnerability is in ANGLE, the shader translator Firefox uses for WebGL: its check on large GLSL shader allocations is too permissive, so allocating a large block of private shader memory can lead to an out-of-bounds memory access on macOS. It affects Firefox, Firefox ESR and Thunderbird on macOS. A web page that runs crafted WebGL content could use it to crash the process or, in the worst case, execute arbitrary code.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, Thunderbird < 128
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS systems. Windows and Linux versions are not vulnerable.

📦 What is this software?

Firefox is Mozilla's web browser; Firefox ESR is its extended-support release, and Thunderbird is Mozilla's email client built on the same Gecko engine. All three ship ANGLE (Almost Native Graphics Layer Engine), the Google-maintained graphics abstraction layer that Gecko uses to validate and translate WebGL GLSL shaders; the bug is in that component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, data theft, or malware installation.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption leading to information disclosure.

🟢 If Mitigated: No impact once patched versions are deployed, WebGL is disabled, or the affected applications are not used.

🌐 Internet-Facing: MEDIUM - Requires user interaction (visiting malicious website) but affects widely used browsers.
🏢 Internal Only: LOW - Primarily affects client applications, not typically server infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the victim to load a malicious page (or other content) that runs crafted WebGL shader code on an affected macOS build. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 128+, Firefox ESR 115.13+, Thunderbird 115.13+, Thunderbird 128+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-29/

Restart Required: Yes

Instructions:

1. Open the affected application (Firefox or Thunderbird).
2. Open the About dialog. On macOS it is under the application menu (Firefox > About Firefox, Thunderbird > About Thunderbird), not the Help menu.
3. Allow the automatic update to download and complete.
4. Restart the application when prompted, then reopen About and confirm the version is at or above the patch version.

🔧 Temporary Workarounds

Disable WebGL (all affected products)

Prevents exploitation by turning off the WebGL functionality that feeds GLSL shaders to ANGLE; with webgl.disabled set, canvas.getContext('webgl') returns null and no shader is ever compiled.

Firefox: open about:config from the address bar, search for webgl.disabled and set it to true. Thunderbird has no address bar: open Settings > General, scroll to the bottom and click Config Editor, then set webgl.disabled to true there. WebGL content (3D maps, games, some dashboards) stops working until the preference is reverted.

Use an alternative browser (all platforms)

Temporarily switch to a browser that is not affected until patches are applied.

🧯 If You Can't Patch

  • Restrict access to untrusted websites on affected macOS systems.
  • Implement application control to block execution of vulnerable browser versions.

🔍 How to Verify

Check if Vulnerable:

Check browser version: Firefox/Thunderbird > Help > About. If version is below patched versions listed above, system is vulnerable.

Check Version:

On a macOS terminal: /Applications/Firefox.app/Contents/MacOS/firefox --version (or /Applications/Thunderbird.app/Contents/MacOS/thunderbird --version), or check via the About dialog. An ESR build reports its version with an esr suffix, e.g. 115.12.0esr, so compare it against the 115.13 line rather than against 128.

Verify Fix Applied:

Confirm browser version is Firefox 128+, Firefox ESR 115.13+, Thunderbird 115.13+, or Thunderbird 128+.
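The version check above and the webgl.disabled workaround from the previous section, combined into one audit script. This is an added example written for this page, not Mozilla tooling: it assumes the default macOS bundle paths (/Applications/Firefox.app, /Applications/Thunderbird.app) and profile directories under ~/Library, reads the version with the same --version call the page suggests, and the prefs.js text it self-checks against is constructed.

```python
"""Exposure audit for CVE-2024-6600 on a macOS host: compares the installed
Firefox / Thunderbird version with the fixed versions and checks whether the
webgl.disabled workaround is set in each profile. Added example, not Mozilla code."""
import glob
import os
import re
import subprocess

# Fixed versions from the advisory: 115.13 for the ESR / Thunderbird 115 branch,
# 128 for the rapid-release branch. Anything older on either branch is affected.
FIXED_ESR_BRANCH = (115, 13)
FIXED_RELEASE_MAJOR = 128

# Assumed default install and profile locations on macOS.
APPS = {
    "firefox": ("/Applications/Firefox.app/Contents/MacOS/firefox",
                os.path.expanduser("~/Library/Application Support/Firefox/Profiles/*/")),
    "thunderbird": ("/Applications/Thunderbird.app/Contents/MacOS/thunderbird",
                    os.path.expanduser("~/Library/Thunderbird/Profiles/*/")),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?")
PREF_RE = re.compile(r'^\s*user_pref\("webgl\.disabled",\s*(true|false)\)\s*;', re.M)


def parse_version(text):
    """Return (major, minor, patch, is_esr) from strings such as
    'Mozilla Firefox 115.12.0esr', '127.0.2' or 'Thunderbird 115.12.2'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4) == "esr"


def is_vulnerable(version_text):
    """True when the version is below the fix on its branch."""
    major, minor, _, _ = parse_version(version_text)
    if major >= FIXED_RELEASE_MAJOR:
        return False
    if major == FIXED_ESR_BRANCH[0] and minor >= FIXED_ESR_BRANCH[1]:
        return False
    return True


def webgl_disabled(prefs_text):
    """True when prefs.js/user.js sets webgl.disabled to true. The files are
    read top to bottom, so a later entry overrides an earlier one."""
    values = PREF_RE.findall(prefs_text)
    return bool(values) and values[-1] == "true"


def classify(version_text, prefs_texts):
    """'patched', 'vulnerable-mitigated' (every profile has WebGL disabled)
    or 'vulnerable-exposed'."""
    if not is_vulnerable(version_text):
        return "patched"
    if prefs_texts and all(webgl_disabled(p) for p in prefs_texts):
        return "vulnerable-mitigated"
    return "vulnerable-exposed"


def installed_version(binary):
    """Run the bundled binary with --version, as the advisory page suggests."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def audit_host():
    """Audit every installed product on this machine; returns {product: status}."""
    results = {}
    for name, (binary, profile_glob) in APPS.items():
        if not os.path.exists(binary):
            continue
        prefs = []
        for profile in glob.glob(profile_glob):
            text = ""
            for fname in ("prefs.js", "user.js"):  # user.js is applied after prefs.js
                path = os.path.join(profile, fname)
                if os.path.exists(path):
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text += fh.read() + "\n"
            prefs.append(text)
        results[name] = classify(installed_version(binary), prefs)
    return results


# Constructed sample prefs.js content, used for a self-check.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("webgl.disabled", true);
"""

if __name__ == "__main__":
    print(classify("Mozilla Firefox 115.12.0esr", [SAMPLE_PREFS]))  # vulnerable-mitigated
    for product, status in audit_host().items():
        print(f"{product}: {status}")
```

Run it as an unprivileged user on the host being audited; a status of vulnerable-exposed means the build is below the fix on its branch and at least one profile still has WebGL enabled.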

📡 Detection & Monitoring

Log Indicators:

  • Crash reports from firefox, plugin-container (the Firefox content process on macOS) or thunderbird whose crashing frames are in ANGLE's shader translator (sh:: namespace) or the WebGL layer (mozilla::WebGLContext), especially EXC_BAD_ACCESS faults. On macOS these land in ~/Library/Logs/DiagnosticReports; Firefox's own crash reporter keeps minidumps under ~/Library/Application Support/Firefox/Crash Reports.
  • Repeated crashes of the same process within a short window, which is how failed exploitation attempts usually surface.

Network Indicators:

  • WebGL shader source travels inline in ordinary page JavaScript over HTTPS, so there is no reliable network signature for this bug. Pair endpoint crash telemetry with proxy logs to find which site a crashing browser had open.

SIEM Query:

source="browser_logs" AND (event="crash" OR event="memory_error") AND (process="firefox" OR process="plugin-container" OR process="thunderbird")

The parentheses around the process clause matter: without them the trailing OR process="thunderbird" matches every Thunderbird event regardless of type.
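A triage script for the crash-log indicator above, written as an added example for this page (not Mozilla's code). It parses the legacy text format of macOS crash reports under ~/Library/Logs/DiagnosticReports; the marker list is an assumption to tune against your own symbolicated reports, and the two sample reports are constructed, with illustrative symbol names rather than frames copied from a real trace.

```python
"""Triage of macOS crash reports for ANGLE / WebGL frames, as a starting point
for hunting CVE-2024-6600 attempts. Added example, not Mozilla code."""
import glob
import os
import re

# Assumption: symbol fragments that place a frame in ANGLE's shader translator
# (namespace sh::) or Firefox's WebGL layer. Tune against your own reports.
WEBGL_MARKERS = ("sh::", "mozilla::WebGLContext", "mozilla::webgl::",
                 "WebGLRenderingContextBinding")

# Legacy text crash report format (~/Library/Logs/DiagnosticReports/*.crash).
PROCESS_RE = re.compile(r"^Process:\s+(firefox|thunderbird|plugin-container)\b", re.M)
EXCEPTION_RE = re.compile(r"^Exception Type:\s+(\S+)", re.M)
FRAME_RE = re.compile(r"^\s*\d+\s+\S+\s+0x[0-9a-f]+\s+(.+?)(?:\s\+\s\d+)?$", re.M)


def webgl_frames(report):
    """Symbolicated frames that land in ANGLE or WebGL code."""
    return [f for f in FRAME_RE.findall(report) if any(m in f for m in WEBGL_MARKERS)]


def triage(report):
    """None when the report is not from a Mozilla process or has no WebGL
    frames; otherwise the process, exception type and matching frames.
    An EXC_BAD_ACCESS fault inside WebGL code is the pattern an out-of-bounds
    access in the shader allocator would show."""
    proc = PROCESS_RE.search(report)
    frames = webgl_frames(report)
    if not proc or not frames:
        return None
    exc = EXCEPTION_RE.search(report)
    exc_type = exc.group(1) if exc else "unknown"
    return {
        "process": proc.group(1),
        "exception": exc_type,
        "frames": frames,
        "memory_fault": exc_type == "EXC_BAD_ACCESS",
    }


def scan_directory(path=os.path.expanduser("~/Library/Logs/DiagnosticReports")):
    """Triage every .crash report in a directory; returns {filename: result}."""
    hits = {}
    for fname in glob.glob(os.path.join(path, "*.crash")):
        with open(fname, encoding="utf-8", errors="replace") as fh:
            result = triage(fh.read())
        if result:
            hits[os.path.basename(fname)] = result
    return hits


# Constructed sample reports; the symbol names are illustrative only.
SAMPLE_WEBGL_CRASH = """Process:               plugin-container [4242]
Path:                  /Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)

Thread 0 Crashed:: MainThread
0   XUL                             0x000000010b8e2e10 sh::TCompiler::compile(char const* const*, unsigned long, unsigned long) + 528
1   XUL                             0x000000010b7a1c00 mozilla::WebGLContext::CompileShader(mozilla::WebGLShader&) + 96
2   XUL                             0x000000010a123450 mozilla::dom::WebGLRenderingContextBinding::compileShader(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) + 160
3   XUL                             0x0000000109f00000 js::RunScript(JSContext*, js::RunState&) + 412
"""

SAMPLE_UNRELATED_CRASH = """Process:               firefox [100]
Exception Type:        EXC_CRASH (SIGABRT)

Thread 0 Crashed:: MainThread
0   libsystem_kernel.dylib          0x00007ff80a1b3e80 __pthread_kill + 8
1   XUL                             0x000000010c000000 mozilla::ipc::MessageChannel::ReportConnectionError(char const*) + 72
"""

if __name__ == "__main__":
    print(triage(SAMPLE_WEBGL_CRASH))
    for name, hit in scan_directory().items():
        print(name, hit["process"], hit["exception"], hit["frames"][0])
```

Newer macOS releases write .ips reports in a JSON-based layout instead; convert those (or the Breakpad minidumps from Firefox's own reporter) to symbolicated text before feeding them to triage().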

🔗 References

  • Mozilla Foundation Security Advisory 2024-29: https://www.mozilla.org/security/advisories/mfsa2024-29/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-6600
